(12) United States Patent
Peters

(10) Patent No.: US 6,662,300 B1
(45) Date of Patent: Dec. 9, 2003

(54) SECURE PASSWORD PROVISION

(75) Inventor: Matthew Francis Peters, Winchester (GB)

(73) Assignee: International Business Machines Corporation, Armonk, NY (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/342,554
(22) Filed: Jun. 29, 1999
(30) Foreign Application Priority Data: May 8, 1999 (GB) 9910572
(51) Int. Cl.: H04L 9/00
(52) U.S. Cl.: 713/182; 713/183; 713/187
(58) Field of Search: 713/182, 183, 187

(56) References Cited

U.S. PATENT DOCUMENTS
4,349,695 A * 9/1982 Morgan et al. 340/5.8
5,596,748 A 1/1997 Kleewein et al. 395/610
5,661,807 A * 8/1997 Guski et al. 713/170
5,774,551 A 6/1998 Wu et al. 380/25
5,841,871 A 11/1998 Pinkas 380/43
5,845,070 A 12/1998 Ikudome 705/51
5,910,986 A 6/1999 Dove 380/43
6,182,219 B1 * 1/2001 Feldbau et al. 380/258

FOREIGN PATENT DOCUMENTS
JP 8-249253 9/1996 G06F/13/00
WO 99/01993 1/1999 H04Q/7/00

OTHER PUBLICATIONS
"A Survey of Web Security", Aviel D. Rubin and Daniel E. Geer Jr., IEEE Computing, vol. 31, No. 9, pp. 34-41, Sep. 1998.

* cited by examiner
Primary Examiner: Thomas R. Peeso
(74) Attorney, Agent, or Firm: Jeanine S. Ray-Yarletts

(57) ABSTRACT
The invention provides a method for providing, from a client computer across a network, a secure password to one or more remote computers. The method comprises the steps of: obtaining a string associated with an application on one of the or each remote computer; obtaining a password from a user of the client computer; combining the string and the password irreversibly to generate a secure password for the application; and providing only the secure password to the one remote computer.

8 Claims, 1 Drawing Sheet

[FIG. 1: the user's common password and the site's unique string are fed into a Hash Algorithm, whose output is the site-specific password]

PETITIONERS' EXHIBIT 1014
Page 1 of 4


[Drawing sheet: FIG. 1 (password generation) and FIG. 2 (browser dialog box with a User Name field)]

FIELD OF THE INVENTION
The present invention relates to a method and apparatus operable within a client computer in a network for providing a secure password to a remote computer.

BACKGROUND OF THE INVENTION
More and more Internet sites and applications are controlling access by asking for userids and passwords. As time goes by, users expect to acquire more userids, not less. At the same time, it is a well known problem that users accessing Internet sites may be prone to eavesdropping by third parties. Users are therefore encouraged to choose different passwords for different web sites or applications, so that detection of a user's password on one site would not enable an eavesdropper to successfully use the same username and password on other sites or applications to which the eavesdropper believes the user has access.
Solutions to the problem of eavesdropping have been to implement one-time password schemes. An example of such a scheme is S/KEY from Bellcore: http://www.nic.surfnet.nl/surfnet/projects/surf-ace/mmlab/security/skey.html
Such schemes rely on both the client and server having a copy of the user's password. Each time the client connects to the server, the server issues a different challenge. The password is combined with the challenge on both the client and server, normally using some kind of hashing algorithm, eg MD5. The client provides its result to the server and, should the results match, the client is given access to the server. A different challenge is issued each time the client accesses the server, so that even if one password is detected by a third party, it is of no use in the future. It will be seen, however, that should the original password be seen when it is provided to the server, the client's security is compromised not only on one site but on any other site for which the user may use the same password.
The problem is therefore how to generate a different password for each site in such a way that the user can remember them all.

DISCLOSURE OF THE INVENTION
Accordingly, the present invention provides a method for providing across said network a secure password to one or more remote computers, said method comprising the steps of: obtaining a string associated with an application on one of the or each remote computer; obtaining a password from a user of said client computer; combining said string and said password irreversibly to generate a secure password for said application; and providing only said secure password to said one remote computer.
It should be seen that the term "client" is used to define any computer in communication with another computer. The invention is therefore applicable to, inter alia, a computer communicating in a peer-to-peer fashion with another computer, any type of computing device, eg a PDA, or an intermediate computer linking two other computers.
The term "string" is also used to define an input to a means for combining application-associated information with the password. The string could, for example, contain a number, as in the case of a TCP/IP address, or any other form of suitable data.
The present invention provides a method and apparatus whereby a user has to remember only one password, but the password that is given to each individual Internet site, company or application is different, and no one site can work out the password given to other sites. This is both easy to use and secure for users.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the invention will now be described with reference to the accompanying drawings, in which:
FIG. 1 illustrates the password generation component of the method according to the invention; and
FIG. 2 illustrates a dialog box for accepting a user password in a web browser.
The invention is based on the premise that a user wishes to use a common userid and password for all sites and applications. For the purposes of simplicity, the term "site" will be used in the description, although it will be seen that any application can be adapted to employ the invention.
In general the invention operates at the point at which a user enters their password, both for the first time and subsequent times, where a site-specific password is constructed from the combination of two things:
1. the common password the user wants to use; and
2. some unique name or character string supplied by or related to the site (FIG. 1).
Preferably, a unidirectional algorithm, such as MD5, is used to construct this site-specific password, ie an algorithm where it is possible to compute the site-specific password from the common password and the site's unique string, but where there is no simple algorithm to recover the common password from the site's unique string and the site-specific password. This means that the information known to the site, or possibly to an eavesdropper, is not enough to recover the user's common password.

DESCRIPTION OF THE PREFERRED EMBODIMENTS
The preferred embodiment is described in terms of an implementation for a web browser, giving some details of the way that current web browsers perform authentication, although the invention could be implemented similarly in other client software that implements authentication, for example FTP and TELNET clients, or even in general purpose applications.

The URL
An HTTP authentication scheme of particular interest works like this:
A client running a browser such as Netscape or Internet Explorer connects to a server hosting a site that requires authorisation;
The web server replies with a 401 (unauthorised) response. This response contains a WWW-Authenticate header which contains a realm, which is a simple quoted string. This realm defines a protection space; that is, a given userid and password should be valid for all pages within a realm.
In response to receipt of a 401 response, the client now displays a dialog box displaying the realm and root URL, and inviting the user to enter a userid and password. FIG. 2, for example, shows a dialog box where AISDoc is the realm and wa.hursley.ibm.com is the root URL.
The user now enters a userid and password and the client creates a cookie which comprises the userid and password pair as a base-64 encoded string. The client then includes this cookie in the credentials field of the Authorisation header on each subsequent request for a page within this realm.
The preferred embodiment operates by altering the manner in which the cookie is formed in the final step above, by passing the password through an extra step to create a password specific to the given site and realm, as shown in FIG. 1. Although this requires an alteration to the web browser or other client software, it does not require a change to HTTP or to the way web servers work.
Preferably, the extra step comprises convolving the password with both the root URL (domain name) and the realm by a forward hash algorithm like MD5, before then combining the result with the userid to form the cookie. The net effect will be that although the user can enter just their common password, the client software will create a password which is unique to that realm, and from which the passwords for other realms cannot be deduced.
The invention differs from systems like OPIE and S/KEY, because the password generated according to the invention is not necessarily a one-time password. One-time password systems are intended to deal with the problem of snooping or eavesdropping on the network. The invention does mitigate this problem too, since obtaining a userid and password pair by eavesdropping no longer enables an eavesdropper to access any of the other sites on which that given user has a userid. The invention also prevents rogue sites, who are given the password generated according to the invention, from using the userid and password on other sites, something that cannot be prevented by one-time password systems, where the site is actually given the user's password.
It will be seen, however, that the invention could in fact be combined with a one-time password scheme. Here, the final cookie-generating step of the client process would involve further convolving the site-specific password with a challenge sent by the web site each time the user accesses the web site. This works because once the site-specific password has been given to a web site, the web site can also apply the challenge to the password to see if it matches the password returned by the client. So not only are the client's other sites safe from a one-time eavesdropper, the site to which the eavesdropper listens is also safe from future attacks.
It will be seen that the invention is applicable to forms of web access other than HTTP and browsers: although other protocols like FTP and TELNET do not define a realm, it would still be possible to convolve a password with the domain name of a server to produce a password that would be unique for a site. Once again the best place to implement this change would be in the client software.
It would even be possible to include the invention in general purpose or dedicated applications running across a network where entry of a user password could possibly be intercepted by a third party, once again by making a minor alteration to the log-in process.
What is claimed is:
1. In a client computer in a network, a method for generating a secure password for enabling access across said network to applications on one or more remote computers, said method comprising the steps of:
obtaining a string associated with one of said applications on one of the or each remote computer;
obtaining a password from a user of said client computer;
combining said string and said password irreversibly to generate a secure password for accessing said application; and
providing only said secure password to said one remote computer for enabling access to said one of said applications.
2. A method according to claim 1 further comprising the step of:
each subsequent time said client connects to said one remote computer:
obtaining a challenge from said one remote computer;
combining said secure password with said challenge to provide a one-time secure password; and
providing said one-time secure password to said one remote computer.
3. Apparatus operable in a client computer in a network adapted to generate a secure password for enabling access across said network to applications on one or more remote computers, said apparatus comprising:
means for obtaining a string associated with one of said applications on one of the or each remote computer;
means for obtaining a password from a user of said client computer;
means for combining said string and said password irreversibly to generate a secure password for accessing said application; and
means for providing only said secure password to said one remote computer for enabling access to said one of said applications.
4. Apparatus according to claim 3 wherein said application is a web site and said application associated string comprises said one remote computer's domain name, said apparatus comprising an Internet web browser adapted to combine said domain name and said password irreversibly to generate a secure password for said web site.
5. Apparatus according to claim 4 wherein the application associated string further comprises said web site's realm, said web browser being adapted to irreversibly combine said realm and said domain name before irreversibly combining the combination with said password.
6. Apparatus according to claim 3 wherein said means for combining comprises a forward hash algorithm.
7. Apparatus according to claim 3 wherein said application is one of an FTP or a Telnet site and said application associated string comprises said one remote computer's domain name, said apparatus comprising an associated client adapted to combine said domain name and said password irreversibly to generate a secure password for said application.
8. A computer program product comprising computer program code stored on a computer readable storage medium for, when executed on a computing device, providing a secure password to one or more remote computers, the program code comprising means for performing the method as claimed in claim 1.